Platform: linux
Component: no-machine
Fixed in: 9.3.8
CVE-2026-5054 is a privilege escalation vulnerability in NoMachine that allows local attackers to gain elevated privileges. The flaw stems from inadequate validation of user-supplied file paths, which lets an attacker execute arbitrary code. It affects NoMachine version 9.3.7 and is fixed in 9.3.8.
Successful exploitation of CVE-2026-5054 allows a local attacker to escalate their privileges on the affected system. This means an attacker who already has some level of access (e.g., a standard user) can gain root or administrator access, effectively taking complete control of the machine. The attacker could then install malware, steal sensitive data, modify system configurations, or perform other malicious actions. The blast radius is limited to the local system, but the impact can be severe if the compromised system holds critical data or services. This vulnerability shares similarities with other privilege escalation flaws where improper input validation leads to unauthorized access.
CVE-2026-5054 was publicly disclosed on 2026-04-11. Its severity is rated HIGH with a CVSS score of 7.8. There are currently no known public exploits or active campaigns targeting this vulnerability, but because exploitation requires only a local attacker, it could become a target. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-5054 is to upgrade to a patched version of NoMachine. The vendor has released a fix to address the insufficient path validation. If immediate upgrade is not possible due to compatibility concerns or system downtime requirements, consider implementing stricter file access controls and limiting the privileges of user accounts. While not a direct fix, these measures can reduce the potential impact of a successful exploit. Monitor system logs for suspicious activity related to file operations, particularly those involving user-supplied paths. After upgrading, confirm the fix by attempting to reproduce the vulnerability with a known exploit vector and verifying that the path validation is now enforced.
Update NoMachine to a patched version. The vulnerability exists in version 9.3.7, so updating to the latest version provided by NoMachine is recommended to mitigate the risk of privilege escalation.
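To apply the upgrade guidance across a fleet, the following added example (not NoMachine's or this page's own code) classifies a version string against the affected version 9.3.7 and the fixed version 9.3.8 stated above. The function names and sample strings are constructed for illustration, and the path `/usr/NX/bin/nxserver --version` for reading the installed version is an assumption about the host.

```shell
#!/bin/sh
# Added example (not vendor code): triage a NoMachine version string for CVE-2026-5054.
AFFECTED="9.3.7"   # affected version stated in the advisory
FIXED="9.3.8"      # "Fixed in" version stated in the advisory

# Pull the first major.minor.patch triple out of arbitrary text
# (version banner, package file name, inventory export).
nx_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 is numerically lower than version $2.
# Compares field by field, so 9.3.17 is correctly newer than 9.3.8.
nx_version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # split both versions into $1..$6
    IFS=$old_ifs
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print: affected | fixed | not-in-stated-range | unknown
nx_cve_2026_5054_status() {
    v=$(nx_extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown                 # no version found: inspect the host manually
    elif [ "$v" = "$AFFECTED" ]; then
        echo affected                # upgrade to $FIXED or later
    elif nx_version_lt "$v" "$FIXED"; then
        echo not-in-stated-range     # older than 9.3.7: advisory does not list it
    else
        echo fixed
    fi
}

# Constructed sample inputs. On a live host, pass the output of the installed
# server's version command instead (assumed: /usr/NX/bin/nxserver --version).
for sample in "NoMachine - Version 9.3.7" "NoMachine - Version 9.3.8" \
              "nomachine_9.3.17_1_amd64.deb" "9.2.18" "nxserver: not found"; do
    printf '%-32s %s\n' "$sample" "$(nx_cve_2026_5054_status "$sample")"
done
```

Versions older than 9.3.7 are reported separately because this page lists only 9.3.7 as affected; check the vendor advisory before treating them as safe.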
CVE-2026-5054 is a HIGH severity privilege escalation vulnerability affecting NoMachine version 9.3.7. It allows local attackers to gain elevated privileges due to insufficient path validation in command line parameter handling.
If you are running NoMachine version 9.3.7, you are potentially affected by this vulnerability. Upgrade to the latest available version to mitigate the risk.
The recommended fix is to upgrade to a patched version of NoMachine. Check the vendor's website for the latest version and installation instructions.
As of the current disclosure date, there are no known public exploits or active campaigns targeting CVE-2026-5054, but it remains a potential target due to its ease of exploitation.
Please refer to the official NoMachine security advisory on their website for detailed information and updates regarding CVE-2026-5054.